HackTheBox - LaCasaDePapel

01:05 - Start of nmap 02:50 - Attempting to execute an VSFTPD Backdoor via MSF 03:40 - Discovering the backdoor opened 6200, discovering a weird shell 04:50 - Lets figure out what just happened 06:50 - Triggering the backdoor without Metasploit 09:05 - Exploring the Psy PHP Shell opened up by the backdoor 10:20 - Several functions for executing bash aren't working, checking disable_functions 11:40 - Attempting to bypass disabled_functions (does not work) 12:50 - Using ScanDir() and File_Get_Contents(), to explore the filesystem 14:50 - Identifying we are probably running as the Dali User (Unintended Path) 17:00 - Downloading CA.KEY, which is a private key to a webserver 21:40 - Using the CA.KEY to generate client certificates to access the HTTPS Page 30:25 - Weird it didn't work, lets just verify all our certificates are good 32:28 - This time it worked! We connected to the server 33:20 - Failing to add the certificate to BurpSuite 33:50 - Discovering File Traversal by editing the PATH variable 36:38 - Discovering the LFI just puts the path as Base64 Encoded 37:15 - Using the LFI to download the SSH Private Key 38:45 - Testing SSH Key against users on the box to gain access! 39:13 - UNINTENDED: Skipping the HTTPS Certificate - Generating SSH Keys to upload via PHP Shell 40:30 - UNINTENDED: Using file_put_contents() to append our public key to authorized_keys 41:30 - UNINTENDED: Using SSH to tunnel through Dali (SOCKS Proxy) 42:30 - UNINTENDED: Scanning ports on Dali that are listening on LocalHost 43:08 - UNINTENDED: Port 8000 is open, and its one step after the Reverse_Proxy that performs SSL Authentication! 45:35 - Running PSPY and LinEnum 50:20 - Using PSPY to view FileSystem Events which will show the cron 52:30 - Taking control of ~/memcached.ini because we own the folder! 54:45 - Exploiting the cron that utilizes memcached.ini to get a root shell -- Bonus 55:55 - Exploring how the SSL Authentication is working 60:00 - Exploring how the VSFTPD Backdoor was modi